cloud.netskope
Introduction
The tags beginning with cloud.netskope identify events generated by Netskope.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as cloud.netskope. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Netskope cloud | | |
For more information, read About Devo tags.
Table structure
These are the fields displayed in this table:
cloud.netskope.events
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
timestamp | | timestamp(timestamp__tmp * 1000) | timestamp__tmp | |
insertion_epoch_timestamp | | timestamp(_insertion_epoch_timestamp__tmp * 1000) | _insertion_epoch_timestamp__tmp | |
type | | | | |
traffic_type | | | | |
category | | | | |
appcategory | | | | |
url | | | | |
user | | | | |
app_session_id | | | | |
acked | | | | |
alert_name | | | | |
srcip | | | | |
dstip | | | | |
dstport | | | | |
dsthost | | | | |
client_bytes | | | | |
server_bytes | | | | |
user_id | | | | |
act_user | | | | |
owner | | | | |
activity | | | | |
shared_with | | | | |
app | | | | |
policy | | | | |
shared_domains | | | | |
action | | | | |
file_path | | | | |
browser | | | | |
site | | | | |
object | | | | |
file_size | | | | |
device | | | | |
mime_type | | | | |
alert | | | | |
instance_id | | | | |
app_activity | | | | |
md5 | | | | |
session_begin | | | | |
scan_type | | | | |
os | | | | |
exposure | | | | |
organization_unit | | (organization_unit__tmp = "") ? null('') : organization_unit__tmp | organization_unit__tmp | |
file_type | | | | |
userkey | | | | |
ns_activity | | | | |
access_method | | | | |
status | | | | |
msg | | msg__tmp | | |
object_id | | | | |
id | | | | |
modified | | | | |
object_type | | | | |
cci | | | | |
suppression_key | | | | |
ccl | | | | |
alert_type | | | | |
file_lang | | | | |
instance | | | | |
dlp_incident_id | | | | |
dlp_rule_severity | | | | |
dlp_rule_count | | | | |
dlp_parent_id | | | | |
dlp_profile | | | | |
dlp_rule | | | | |
dlp_file | | | | |
count | | | | |
from_user | | | | |
aggregated_user | | | | |
req_cnt | | | | |
serial | | | | |
fromlogs | | | | |
numbytes | | | | |
resp_cnt | | | | |
log_file_name | | | | |
useragent | | | | |
page_duration | | | | |
netskope_activity | | | | |
other_categories | | | | |
src_geoip_src | | | | |
ur_normalized | | | | |
user_category | | | | |
user_name | | | | |
user_role | | | | |
userip | | | | |
collaborated | | | | |
internal_collaborator_count | | | | |
request_id | | | | |
sha256 | | | | |
title | | | | |
total_collaborator_count | | | | |
true_obj_category | | | | |
true_obj_type | | | | |
suppression_start_time | | suppression_start_time__tmp | | |
suppression_end_time | | suppression_end_time__tmp | | |
src_latitude | | src_latitude_tmp | | |
src_longitude | | src_longitude_tmp | | |
dst_latitude | | dst_latitude_tmp | | |
dst_longitude | | dst_longitude_tmp | | |
src_location | | | | |
src_country | | | | |
src_zipcode | | | | |
src_region | | | | |
dst_location | | | | |
dst_country | | | | |
dst_zipcode | | | | |
dst_region | | | | |
web_url | | | | |
org | | | | |
message | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |